No doubt there has been much groaning going on at Lenovo’s PR department, as no sooner has the Superfish scandal been (kind of) forgotten, another major flaw with Lenovo’s machines has emerged.
Back in February, Superfish caused a major fracas as it turned out to be preinstalled adware that stole private information from Lenovo’s Windows laptops – and while the PC vendor initially denied the software was anything malicious, it quickly backtracked and ditched the program.
And now new flaws in Lenovo’s System Update – which provides patches, drivers and the like to users – have been pointed out. The vulnerabilities were discovered by IOActive (spotted by Gizmodo), and mean attackers could potentially hijack the update system and provide a laptop with ‘updates’ which are actually malware.
The central vulnerability is advisory CVE-2015-2233, an issue with signature validation checks which an attacker (local, or possibly remote) can bypass in order to replace trusted Lenovo apps with malicious software.
IOActive noted: “The System Update downloads executables from the Internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them.”
Apparently Lenovo failed to properly validate the certificate authority chain, allowing an attacker to create a fake certificate, signing off their malware-laden executable.
There are two further flaws to compound this that let even least-privileged users gain high-level access to a machine in order to execute malicious commands and the like.
Kevin Bocek, Vice President of security strategy & threat intelligence at Venafi said: “The system of trust that runs the Internet is very fragile. Failing to validate a certificate properly gives bad guys the powerful weapons they need to circumvent security controls.
“Lenovo joins many others in not being prepared to secure the trust that’s established by keys and certificates. Lenovo like Fandango, Kredit Karma, and an estimated 40 per cent or more of mobile application developers were not able to validate if certificates were from a trusted authority. With every Global 2000 organisation reporting attacks on keys and certificates, according to the Ponemon Institute, the Internet needs an immune system to evaluate what’s really trusted or not.
“Lenovo is certainly not alone in their inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected.
“Using keys and certificates attempted to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”
The good news? These problems were actually found a few months back when Superfish first hit the limelight, and IOActive has only revealed them now, after Lenovo has patched its update system.
All Lenovo users need to ensure they update the Lenovo System Update to the latest version as a result – if you’re running version 220.127.116.11 or earlier, then you are at risk when it comes to these flaws.
UPDATE: Lenovo has issues a statement saying: “Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.